Knowledge blog

Honeypot – Prevent your forms from SPAM posts using honeypot technique

Preventing SPAM posts made by bots has long been a challenge, but it is something we must address before it turns into a serious exploit. Captcha is the most popular of the available techniques, but it annoys your users with additional steps, and you may even lose some customers (customers are lazy). Intelligent bots can also read the challenge text, so it is not effective enough. Question-and-answer checks are another option, but they frustrate your users with extra steps just the same.

What is the Honeypot technique and how does it work?

The honeypot is the quickest yet still effective way to prevent SPAM posts. It can be implemented in all your forms: inquiry forms, registration forms, comments and any other. The technique amounts to adding one more hidden field and validating on submission that the field is empty. SPAM posts are normally created by bots, and a bot is usually not intelligent enough to recognise a dummy field, so it enters a value into every field in the form. That is how we identify a bot-filled submission.

Implementing Honeypot technique

Let's assume you have a form with two fields, Name and Email. By default the form looks like this (the name attributes are what the server-side script reads on submission).

<input id="name" name="name" size="45" type="text" value="" />
<input id="email" name="email" size="35" type="text" value="" />

Now add an additional field for the name, call it duplicate name, and set its display to none. The form then looks like this.

<input id="name" name="name" size="45" type="text" value="" />
<input id="duplicate-name" name="duplicate-name" size="45" type="text" value="" style="display:none" />
<input id="email" name="email" size="35" type="text" value="" />

You have added the required field, so let's now validate it. You can validate on form submission with whatever server-side script you use; here I use simple PHP logic.

<?php
// Reject the submission if the hidden honeypot field carries any value.
if (isset($_POST['duplicate-name']) && $_POST['duplicate-name'] !== "") {
    // A bot filled the hidden field: silently skip the submission.
} else {
    // Genuine submission: continue processing.
}

You may now wonder how such a simple trick works; once it is in place you will see the effect yourself. It may look like some effort, and if you are not a coder it may seem vague, but to keep the noise away you need to do it. A developer can implement this in a few minutes.

Note: if you are using WordPress or another CMS, plugins are available that add the honeypot technique, so search for one.

Improve your Honeypot technique

Once the basic honeypot is in place, a few tips make it more effective.

  1. Use the autocomplete attribute set to 'off' (best used as autocomplete="none") to prevent browsers from filling the field with cached values.
  2. Don't make the honeypot field name obvious. For example, instead of "duplicate_name" use something like "duplicateName1Fqo34S", so it is not easy to recognise or guess.
  3. Instead of making the input tag itself invisible, place it inside a span or div tag and hide that. You can hide it with CSS, JS or any other way you prefer.
  4. If possible, change this honeypot field name periodically, so a bot whose author has manually observed the field and coded around it will fail again.
  5. After detecting SPAM, still move on to your Thank You page or success message rather than saying "SPAM detected", but behind the scenes do not process the submission. The most intelligent bots may scrape your success message and log it, and the bot's creator may later use that to get around your check.
  6. Log the IP whenever a SPAM post is attempted. Analyze the IPs and block them at the server level to reduce your server load.
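The following is an added example, not code from the blog, that puts the basic implementation above and all six tips together in plain Node.js with no framework: the honeypot name is derived from a server-side secret and the current day (tips 2 and 4), the input sits inside a hidden span with autocomplete off (tips 1 and 3), bots and humans receive the same success response (tip 5), and a log line with the source IP is produced for every hit (tip 6). The field-name prefix, the rotation secret, the day-based rotation period, the sample IPs and the log format are all assumptions made for this demonstration.

```javascript
// Added example (not the blog's own code): a honeypot-protected contact form.
// All names, the rotation scheme and the log format are assumptions.

// Small non-cryptographic hash (FNV-1a, 32-bit). It only has to make the
// field name look random and change with the period; it is not a secret-
// keeping primitive. In production an HMAC would be the natural choice.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Tips 2 and 4: an unguessable honeypot name that rotates each period.
const ROTATION_SECRET = "replace-with-a-server-side-secret"; // assumption
function honeypotName(periodIndex) {
  const digest = fnv1a(ROTATION_SECRET + ":" + periodIndex);
  return "f_" + digest.toString(16).padStart(8, "0");
}
// Rotation period = one day; yesterday's name stays valid so a form that
// was opened before midnight still validates after it.
function currentPeriod(now = Date.now()) {
  return Math.floor(now / (24 * 60 * 60 * 1000));
}

// Tips 1 and 3: hide a wrapper span rather than the input, and add
// autocomplete="off" plus tabindex="-1" so neither browsers nor keyboard
// users put anything into the field.
function renderForm(fieldName) {
  return [
    '<form method="post" action="/contact">',
    '  <input id="name" name="name" size="45" type="text" value="" />',
    '  <span style="display:none" aria-hidden="true">',
    `    <input name="${fieldName}" type="text" value="" autocomplete="off" tabindex="-1" />`,
    "  </span>",
    '  <input id="email" name="email" size="35" type="text" value="" />',
    '  <button type="submit">Send</button>',
    "</form>",
  ].join("\n");
}

// Server-side check. `fields` is the parsed POST body (string values).
// Returns whether to really process the submission, the response to send
// (identical for bots and humans, tip 5) and a log line for spam hits (tip 6).
function validateSubmission(fields, remoteIp, now = Date.now()) {
  const period = currentPeriod(now);
  const candidates = [honeypotName(period), honeypotName(period - 1)];
  const triggered = candidates.some(
    (name) => typeof fields[name] === "string" && fields[name].trim() !== ""
  );
  const result = {
    accept: !triggered,
    response: { status: 200, body: "Thanks, we have received your message." },
    logLine: null,
  };
  if (triggered) {
    const ts = new Date(now).toISOString();
    result.logLine =
      `${ts} honeypot-hit ip=${remoteIp} fields=${Object.keys(fields).join(",")}`;
  }
  return result;
}

// Stand-alone demo with constructed submissions (not real traffic).
const demoName = honeypotName(currentPeriod());
console.log(renderForm(demoName));
console.log(validateSubmission(
  { name: "Ada", email: "ada@example.com", [demoName]: "" }, "203.0.113.7"));
console.log(validateSubmission(
  { name: "Ada", email: "ada@example.com", [demoName]: "buy now" }, "198.51.100.9"));
```

The handler that receives the POST would call validateSubmission, send result.response in every case, and only forward the message (mail, database, ticket) when result.accept is true; result.logLine goes to whatever log the server-level IP blocking is fed from.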

There are ways to prevent SPAM posts, but bots keep improving, so there is no 100% success rate. With the honeypot, though, we have seen results of up to 99% across at least hundreds of customer websites. So let's do the magic!!